U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Fiscal Year 2007 Federal Information Security Management Act Report

Report No. 50501-11-FM
September 2007

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 26, 2007

The Honorable Jim Nussle
Director
Office of Management and Budget
Eisenhower Executive Office Building
1650 Pennsylvania Avenue NW.
Washington, D.C. 20503

Subject: Fiscal Year 2007 Federal Information Security Management Act Report

Dear Director Nussle:

This report presents the results of our audits of the Department of Agriculture's (USDA) efforts to improve the management and security of its information technology (IT) resources. USDA and its agencies have taken numerous actions to improve the security over their IT resources; however, additional actions are still needed to establish an effective security program.

Sincerely,

/s/

Phyllis K. Fong
Inspector General

Executive Summary
Fiscal Year 2007 Federal Information Security Management Act Report (Audit Report No. 50501-11-FM)

Results in Brief

The efforts of the U.S. Department of Agriculture's (USDA) Office of the Chief Information Officer (OCIO) and the Office of Inspector General (OIG) in the past several years have heightened program management's awareness of the need to plan and implement effective information technology (IT) security. OCIO has improved its oversight in several areas during this fiscal year. For example, the inventory of agency systems had significantly improved. In other areas, such as the certification and accreditation (C&A) process, improvements were noted, but additional work is still needed. The Department has advanced in the past several years, but much more work is needed to address the IT material control weaknesses that continue to impact this large and complex organization.

The continuing material IT control weaknesses within the Department are due to the lack of an effective overall Departmentwide plan. The Department needs to coordinate with all of its agencies, determine the overall risks, prioritize the risks, and develop and implement a time-phased plan to systematically mitigate risks. With agency cooperation and acceptance, improvements could be made.

This report constitutes OIG's independent evaluation of the Department's IT security program and practices as required by the Federal Information Security Management Act (FISMA).

The following summarizes the key matters discussed in exhibit A of this report, which contains OIG's responses to questions required by Office of Management and Budget (OMB) Memorandum No. M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 25, 2007.

•   Our review disclosed that agencies that had contractor systems attached to their networks could not provide documentation to validate that sufficient oversight and evaluation activities were in place to ensure information systems used or operated by a contractor of the agency, or other organization on behalf of the agency, met the requirements of FISMA, OMB, and National Institute of Standards and Technology (NIST) guidelines.

•   While OCIO made significant improvements in its oversight of the Departmental inventory records, the process did not include tracking system interfaces or contractor systems. In addition, guidance regarding contractor systems had not been developed and provided to agencies. A review of 14 system security plans revealed that 6 systems interfaced with other systems; however, none of those interfaces appeared within the official Department inventory. System interfaces were not part of the OCIO semi-annual inventory reconciliation process, and therefore were not included in the Department's oversight. In addition, while the semi-annual inventory reconciliation did provide good oversight of overall systems, it did not differentiate between agency-owned and contractor systems. As a result, at least one contractor system was not recorded in the official Department inventory.

USDA/OIG-A/50501-11-FM    Page i

•   The Department made improvements in its plan of action and milestones (POA&M) recording, tracking, and closures. However, individual agencies are responsible for accurately inputting, tracking, and closing POA&Ms. Our review disclosed that the agencies did not add POA&Ms based on the C&A testing and evaluation for 9 of the 10 systems we reviewed. In addition, scanning vulnerabilities not mitigated within 30 days were not tracked by all six agencies we reviewed. In addition, we reviewed 19 closed POA&Ms during this review and found 5 were closed improperly and 3 had inadequate documentation that the weaknesses had been properly corrected and/or mitigated. Based upon our work during the fiscal year, we have no assurance that agencies were entering, tracking, and adequately closing POA&Ms.

•   Our review of the Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool disclosed 10 systems that did not apply the appropriate risk levels to their systems in accordance with Federal guidelines.[1] For instance, one system had two high risk security objectives, yet the system was categorized as moderate. According to Federal guidelines, any security objective that is high defines the system categorization as high. This occurred because the Department did not always provide adequate oversight of system categorization. Without a proper risk level assignment, the agencies cannot design their security programs to ensure the appropriate security controls are in place to protect the confidentiality, integrity, and availability of their systems.

•   We noted that the C&A process within the Department was not adequate. Our detailed review of 10 C&As showed agencies had not followed NIST guidance.[2]
    Specifically, we found (1) nine security plans, seven risk assessments, and nine disaster recovery plans that did not follow NIST guidance, and did not provide complete, accurate, and consistent information; (2) for three systems the independent testing and evaluation processes did not provide adequate assurances that controls were in place and operating effectively; (3) in nine of the systems controls chosen for continuous monitoring had not been documented; and (4) eight systems were accredited in spite of serious weaknesses.

[1] Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, dated December 2003.
[2] NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004.

•   The Department had implemented a concurrency review (quality assurance program) of agency C&A submissions prior to accreditation. Based on our review, the concurrency reviews were not providing adequate oversight to ensure that agency system documentation met NIST guidance and that agency controls were properly safeguarding agency systems and data. We found that the concurrency reviews were not denying authority to operate to systems that did not have controls in place to protect the system, performing followup to ensure weaknesses identified during the reviews were mitigated, and/or accurately reviewing agency C&A documentation.

•   Privacy Act implementation within the Department continued to be inadequate. We found that in our review of 89 systems, 18 Privacy Impact Assessments (PIA) had not been completed and 8 more were still in draft. Of the 71 PIAs provided and reviewed, 36 did not meet Departmental[3] standards. In addition, the content of the PIAs was not always clear and/or information was contradictory regarding the usage of personally identifiable information (PII) on those systems. If PII is in the system, a Statement of Record Notice (SORN) is required to be published in the Federal Register for any new or intended use of personal information. We found that 11 of 38 required SORNs had not been published. Finally, of eight Privacy Act Officers interviewed, none were aware of key requirements such as formulating policy, handling privacy incidents, or analyzing business flows for privacy implications.

•   The Department had taken some steps to implement the provisions of OMB Memorandum No. M-06-15, but had yet to fully achieve that goal.[4] One positive step was the recent granting of a blanket purchase agreement to encrypt mobile devices with a planned completion date of March 31, 2008. Until this is fully implemented, the Department is very susceptible to PII incidents as noted by the 50 incidents that occurred this fiscal year. In addition, some legacy systems within the Department use the social security number as a piece of identifying information. Also, we found that there were at least 181 unencrypted wireless access points (AP) at selected locations within the Department which could potentially broadcast PII in clear text.[5]

[3] Departmental Manual (DM) 3515-002, Privacy Impact Assessment, dated February 17, 2005.
[4] OMB Memorandum No. M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006.
•   An adequate Departmental configuration policy did not exist with checklists for each operating system. To determine the level of security and configurations within the Department, we scanned six agencies' networks using commercially available software to look for known security vulnerabilities. In addition, we reviewed the level of security software patches that were applied at seven agencies. We found that (1) over 700 high risk vulnerabilities were present and unmitigated or the acceptance of risk was not documented, and (2) over 240,000 patches were not applied to over 26,000 devices.[6] We also reviewed the running configurations of network routers, switches, and firewalls at six agencies using commercially available software. We noted over 900 configuration errors within those agencies' devices. In addition, we noted that some of these agencies had stated in their July 2007 scorecard that they were 100 percent patched and scanned. Agencies were not reporting their accurate security posture in the scorecards and OCIO was not validating the information when received.

•   NIST guidance states that "while the solutions to IT security are complex, one basic yet effective tool is the security configuration checklist."[7] The Department had issued guidance to achieve this NIST requirement by issuing checklists for some operating systems.[8] We reviewed six agencies to determine whether the Department's standard checklists for configuring systems were being used. We found checklists were not being used to configure the systems in four of six agencies and they could not provide documentation to support why the checklists were not used. In addition, checklists were not available to the agencies until August 2007 because they had been removed from the website and OCIO could not locate them. Fortunately, OIG was able to provide copies from our previous audit work. Also, as noted in the fiscal year 2006 FISMA audit report, not all checklists had been created. As a result, USDA systems were vulnerable to many threats, ranging from remotely launched network service exploits to malicious code spread through e-mails, malicious web sites, and file downloads.

[5] In computer networking, a wireless AP is a device that connects wireless communication devices together to form a wireless network. The AP usually connects to a wired network and can relay data between wireless devices and wired devices. APs had Internet Protocol (IP) addresses for configuration.
[6] High risk vulnerabilities are those which provide access to the computer, and possibly the network of computers.
[7] NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products – Guidance for Checklists Users and Developers, dated December 2006.
[8] DM 3540-002, Risk Assessment and Security Checklists, dated April 19, 2004.

•   OCIO made progress in tracking incident responses. During the fiscal year it implemented the Cyber Security Incident Response Management database to facilitate tracking and closeout of incidents. The database tracks the ticket number, open and close dates, categories of incidents, PII information, and whether the incident was forwarded to other Federal agencies. However, we found policies and procedures for incident handling were not being followed and that incidents were not closed properly or timely, or were not reported to necessary authorities. As a result, OCIO had limited assurance that incidents were being appropriately and timely reported and that security problems were being adequately addressed. We reviewed the incident tracking database and found 92 of the 399 incidents did not have documented closure within 30 days and that 75 incidents did not have United States Computer Emergency Readiness Team (US-CERT) numbers (agency officials stated that these were mainly false positives).[9] However, our review found that they should have been reported based on the US-CERT category in the database. In addition, we found over 100 incidents that had not been reported to OIG because OCIO did not have a standard distribution list.

•   The Internet Protocol Address Database (IPAD) is vital to the timeliness of incident response. IPAD is the Department's internet protocol (IP) address repository. This tool is used to determine the agency and location of the device when an incident occurs. It includes agency contact information, and whether PII is present on that system. Although OCIO had made progress in the implementation of the IPAD, more work is needed. We found that IPAD still did not have a complete and accurate listing of USDA IP addresses in the Department's tracking database for three out of the six agencies reviewed. This was due to a lack of management commitment to monitor IPAD to ensure that a complete and accurate inventory of IP addresses was maintained.

•   We reviewed e-authentication risk assessments, required by OMB, at six agencies.[10] We found one agency that did not use e-authentication. Of the remaining five, only one could provide documentation to show it had conducted an assessment. The agencies were either unaware that a separate risk assessment was required or were not aware of a requirement to keep the documentation.
    Without doing and/or documenting a risk assessment for e-authentication, there is no assurance that business transactions have the required level of verification for authentication. Authentication risks with potentially higher consequences require higher levels of assurance.

[9] US-CERT is required to be notified for certain incidents by DM 3505-000, USDA Computer Incident Response Procedures Manual, dated March 20, 2006.
[10] OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies, dated December 16, 2003.

Recommendation In Brief

This report presents the results of our audit work in assessing the security over the Department's IT resources. The recommendations made to correct the deficiencies identified in this report have been documented in other reports and we are not making additional recommendations.

Abbreviations Used in This Report

AP          access point
APHIS       Animal and Plant Health Inspection Service
C&A         certification and accreditation
CCC         Commodity Credit Corporation
CIO         Chief Information Officer
DA          Departmental Administration
DM          Departmental Manual
FAS         Foreign Agricultural Service
FIPS        Federal Information Processing Standards
FISMA       Federal Information Security Management Act
FNS         Food and Nutrition Service
FS          Forest Service
FSA         Farm Service Agency
FSIS        Food Safety and Inspection Service
GAO         Government Accountability Office
GISRA       Government Information Security Reform Act
IG          Inspector General
IP          internet protocol
IPAD        Internet Protocol Address Database
IT          information technology
ITS         Information Technology Services
NFC         National Finance Center
NIST        National Institute of Standards and Technology
NITC        National Information Technology Center
NRCS        Natural Resources Conservation Service
OCFO        Office of the Chief Financial Officer
OCIO        Office of the Chief Information Officer
OMB         Office of Management and Budget
OIG         Office of Inspector General
POA&M       plan of action and milestones
PIA         Privacy Impact Assessment
PII         personally identifiable information
RMA         Risk Management Agency
SORN        Statement of Record Notice
SP          Special Publication
US-CERT     United States Computer Emergency Readiness Team
USDA        U.S. Department of Agriculture

Table of Contents

Executive Summary
Abbreviations Used in This Report
Background and Objectives
Scope and Methodology
Exhibit A – OMB Reporting Requirements and USDA OIG Position

Background and Objectives

Background

Improving the overall management and security of information technology (IT) resources is a top priority in the U.S. Department of Agriculture (USDA). As technology has enhanced the ability to share information instantaneously among computers and networks, it also has made organizations more vulnerable to unlawful and destructive penetration and disruption. Insiders with malicious intent, recreational and institutional hackers, and attacks by intelligence organizations of other countries are just a few of the threats that pose a risk to the Department's critical systems and data.

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). FISMA permanently reauthorized the framework established in the Government Information Security Reform Act (GISRA) of 2000, which expired in November 2002. FISMA continues the annual review and reporting requirements introduced in GISRA. In addition, FISMA includes new provisions aimed at further strengthening the security of the Federal Government's information and information systems, such as the development of minimum standards for agency systems. The National Institute of Standards and Technology (NIST) has been tasked to work with agencies in the development of those standards per its statutory role in providing technical guidance to Federal agencies.

FISMA supplements information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996, and is consistent with existing information security guidance issued by the Office of Management and Budget (OMB) and NIST. Most importantly, however, the provisions consolidate these separate requirements and guidance into an overall framework for managing information security and establishing new annual reviews, independent evaluation, and reporting requirements to help ensure agency implementation of the Act and both OMB and congressional oversight.

FISMA assigns specific responsibilities to OMB, agency heads, Chief Information Officers (CIO), and Inspectors General (IG). OMB is responsible for establishing and overseeing policies, standards, and guidelines for information security. This includes the authority to approve agency information security programs. OMB is also required to submit an annual report to Congress summarizing the results of agencies' evaluations of their information security programs.

Each agency must establish an agency-wide risk-based information security program to be overseen by the agency CIO and ensure that information security is practiced throughout the lifecycle of each agency system. Specifically, this program must include:

•   periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems, and to data supporting critical operations and assets;

•   development and implementation of risk-based, cost-effective policies and procedures to provide security protections for information collected or maintained by or for the agency;

•   training on security responsibilities for information security personnel and on security awareness for agency personnel;

•   periodic management testing and evaluation of the effectiveness of policies, procedures, controls, and techniques;

•   a process for identifying and remediating any significant deficiencies;

•   procedures for detecting, reporting, and responding to security incidents; and

•   an annual program review by agency program officials.

In addition to the responsibilities listed above, FISMA requires each agency to have an annual independent evaluation of its information security program and practices, including control testing and compliance assessment. The evaluations are to be performed by the agency IG or an independent evaluator, and the results of these evaluations are to be reported to OMB.

Objectives

The audit objective was to form a basis for conclusion regarding the status of USDA's overall IT security program by:

•   evaluating the effectiveness of the Office of the Chief Information Officer's (OCIO) oversight role of agency CIOs and FISMA compliance;

•   determining whether agencies have maintained an adequate system of internal controls over IT assets in accordance with FISMA and other appropriate laws and regulations;

•   evaluating OCIO's progress in establishing a Departmentwide security program;

•   evaluating the agencies' and OCIO's plan of action and milestones consolidation and reporting processes;

•   reviewing Privacy Act implementation and oversight; and

•   reviewing the adequacy of e-authentication risk assessments.

Scope and Methodology
The scope of our review was Departmentwide and agency audits relating to IT completed during fiscal year 2007. We conducted this performance audit in accordance with generally accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Fieldwork for this audit was performed at the Department OCIO from June through September 2007. In addition, the results of IT control testing and compliance with laws and regulations performed by contract auditors at three additional agencies are included in this report. Further, the results of our most recent general control and application control reviews were considered and incorporated into this report. In total, our fiscal year 2007 audit work covered 12 agencies and/or staff offices: Animal and Plant Health Inspection Service (APHIS), Agricultural Marketing Service (AMS), Agricultural Research Service (ARS), Food and Nutrition Service (FNS), Food Safety and Inspection Service (FSIS), Foreign Agricultural Service (FAS), Forest Service (FS), Farm Service Agency (FSA), Natural Resources Conservation Service (NRCS), Office of the Chief Financial Officer (OCFO), OCIO, and Risk Management Agency (RMA). These agencies and staff offices operate approximately 216 of the OCIO estimated 259 general support and major application systems within the Department.[11]

To accomplish our audit objectives, we performed the following procedures at Headquarters and selected field offices.

• Consolidated the results and issues from our prior IT security audit work. Our audit work consisted primarily of audit procedures found in the U.S. Government Accountability Office (GAO) Financial Information System Control Audit Manual.

• Evaluated OCIO's progress in implementing recommendations to correct material weaknesses identified in prior Office of Inspector General (OIG) and GAO audit reports.

• Gathered the necessary information to address the specific reporting requirements outlined in OMB Memorandum No. M-07-19, dated July 25, 2007.

• Performed detailed testing specific to FISMA requirements at selected agencies as detailed in this report.[12]

[11] The Department identified 259 systems in its plan of action and milestones system as of August 6, 2007.
[12] Those agencies were APHIS, ARS, AMS, FAS, FNS and NRCS.

Exhibit A – OMB Reporting Requirements and USDA OIG Position
Exhibit A – Page 1 of 16

Section C: Inspector General Questions

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

   Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient.
Agencies and service providers have a shared responsibility for FISMA compliance.

   (See table below.)

2. For the Total Number of Systems reviewed by Component/Bureau and Federal Information Processing Standards (FIPS) Systems Impact Level in the table for Question 1, identify the number and percentage of systems which have a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

   Column key for the table (Question 1 columns are OIG figures; Question 2 columns are Agency Reported):

   1.a. Fiscal year 2007 Agency Systems, as of 8/6/07: Total # / # Reviewed
   1.b. Fiscal year 2007 Contractor Systems, as of 8/6/07: Total # / # Reviewed
   1.c. Fiscal year 2007 Total Number of Systems (Agency and Contractor): Total # / # Reviewed
   2.a. Number of systems certified and accredited, as of 9/17/07: Total # / Percent of Total [13]
   2.b. Number of systems for which security controls have been tested and evaluated in the past year, as of 9/17/07: Total # / Percent of Total [14]
   2.c. Number of systems for which contingency plans have been tested in accordance with policy, as of 8/24/07: Total # / Percent of Total [15]

Bureau (OIG Reviewed)  Level      1.a Tot 1.a Rev 1.b Tot 1.b Rev 1.c Tot 1.c Rev   2.a #   2.a %   2.b #   2.b %   2.c #   2.c %
1. FS                  High             1       0       0       0       1       0       0      0%       0      0%    *N/R    *N/R
                       Moderate        14      13       0       0      14      13       1      7%       0      0%    *N/R    *N/R
                       Low              2       1       0       0       2       1       1     50%       0      0%    *N/R    *N/R
                       Sub-total       17      14       0       0      17      14       2     12%       0      0%    *N/R    *N/R
2. FSIS                High             4       3       0       0       4       3       4    100%       0      0%    *N/R    *N/R
                       Moderate         8       7       0       0       8       7       8    100%       1     13%    *N/R    *N/R
                       Low              1       1       0       0       1       1       1    100%       0      0%    *N/R    *N/R
                       Sub-total       13      11       0       0      13      11      13    100%       1      8%    *N/R    *N/R
3. RMA                 High             0       0       0       0       0       0     N/A     N/A     N/A     N/A    *N/R    *N/R
                       Moderate        17       3       0       0      17       3       1      6%       1      6%    *N/R    *N/R
                       Low              1       0       0       0       1       0       0      0%       0      0%    *N/R    *N/R
                       Sub-total       18       3       0       0      18       3       1      6%       1      6%    *N/R    *N/R
4. OCFO-NFC            High             4       3       0       0       4       3       4    100%       3     75%    *N/R    *N/R
                       Moderate         9       2       0       0       9       2       6     67%       4     44%    *N/R    *N/R
                       Low              0       0       0       0       0       0     N/A     N/A     N/A     N/A    *N/R    *N/R
                       Sub-total       13       5       0       0      13       5      10     77%       7     54%    *N/R    *N/R
5. OCIO                High             6       3       0       0       6       3       1     17%       0      0%    *N/R    *N/R
                       Moderate        14       1       0       0      14       1       7     50%       5     36%    *N/R    *N/R
                       Low              7       2       0       0       7       2       2     29%       1     14%    *N/R    *N/R
                       Sub-total       27       6       0       0      27       6      10     37%       6     22%    *N/R    *N/R
6. FSA                 High             0       0       0       0       0       0     N/A     N/A     N/A     N/A    *N/R    *N/R
                       Moderate        22       2       0       0      22       2       6     27%       6     27%    *N/R    *N/R
                       Low              3       0       0       0       3       0       0      0%       0      0%    *N/R    *N/R
                       Sub-total       25       2       0       0      25       2       6     24%       6     24%    *N/R    *N/R
7. AMS                 High             0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Moderate         3       3       0       0       3       3       3    100%       3    100%       0      0%
                       Low             16      16       0       0      16      16      16    100%      16    100%       0      0%
                       Sub-total       19      19       0       0      19      19      19    100%      19    100%       0      0%
8. ARS                 High             0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Moderate         0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Low             15      15       0       0      15      15       8     53%       8     53%       0      0%
                       Sub-total       15      15       0       0      15      15       8     53%       8     53%       0      0%
9. APHIS               High             6       1       0       0       6       1       5     83%       0      0%       0      0%
                       Moderate        22      15       1       0      23      15      15     65%       2      9%       5     33%
                       Low              9       5       0       0       9       5       3     33%       0      0%       1     20%
                       Sub-total       37      21       1       0      38      21      23     61%       2      5%       6     29%
10. FAS                High             0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Moderate         3       3       0       0       3       3       0      0%       0      0%       3    100%
                       Low              0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Sub-total        3       3       0       0       3       3       0      0%       0      0%       3    100%
11. FNS                High             0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Moderate         7       2       4       1      11       3      11    100%       5     45%       1     33%
                       Low              1       1       0       0       1       1       1    100%       0      0%       0      0%
                       Sub-total        8       3       4       1      12       4      12    100%       5     42%       1     25%
12. NRCS               High             0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Moderate         3       3       0       0       3       3       3    100%       3    100%       3    100%
                       Low              0       0       0       0       0       0     N/A     N/A     N/A     N/A     N/A     N/A
                       Sub-total        3       3       0       0       3       3       3    100%       3    100%       3    100%
13. OCFO-FS            High             0       0       0       0       0       0     N/A     N/A     N/A     N/A    *N/R    *N/R
                       Moderate        13       3       0       0      13       3      11     85%      11     85%    *N/R    *N/R
                       Low              0       0       0       0       0       0     N/A     N/A     N/A     N/A    *N/R    *N/R
                       Sub-total       13       3       0       0      13       3      11     85%      11     85%    *N/R    *N/R
Totals                 High            21      10       0       0      21      10      14     67%       3     14%
                       Moderate       135      57       5       1     140      58      72     51%      41     29%
                       Low             55      41       0       0      55      41      32     58%      25     45%
                       Total          211     108       5       1     216     109     118     55%      69     32%

[13] These numbers come from the OCIO as of September 17, 2007, and identified systems that had undergone a C&A. These do not include systems with an Interim Authority to Operate or 86 systems scheduled to undergo a completed C&A by September 30, 2007. For an assessment of the quality of the C&A process, see Question 5.
[14] OIG cannot determine an accurate number of systems that have self-assessments completed. We reviewed self-assessments done in six agencies (APHIS, ARS, AMS, FAS, NRCS, and FNS) and found that all six could not provide documentation of testing on any controls not undergoing the C&A process. Numbers, therefore, are those C&A'd in 2007.
[15] The numbers here are based solely on work performed by OIG for our six selected agencies. *N/R means we did not review that agency.

3. Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

   a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. (OIG's Response is underlined below.)

      Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law.
Self-reporting by\n        another Federal agency, for example, a Federal service provider may be sufficient.\n        Agencies and service providers have a shared responsibility for FISMA compliance.\n\n        Response Categories:\n\n        \xe2\x80\xa2   Rarely, for example, approximately 0-50 percent of the time\n        \xe2\x80\xa2   Sometimes, for example, approximately 51-70 percent of the time\n        \xe2\x80\xa2   Frequently, for example, approximately 71-80 percent of the time\n        \xe2\x80\xa2   Mostly, for example, approximately 81-95 percent of the time\n        \xe2\x80\xa2   Almost Always, for example, approximately 96-100 percent of the time\n\n        Our review showed that agencies that had contractor systems attached to their networks\n        could not provide documentation to validate that sufficient oversight and evaluation\n        activities were in place to ensure information systems used or operated by a contractor of\n        the agency, or other organization on behalf of the agency, met the requirements of FISMA,\n        OMB, and NIST guidelines. This occurred because the Department did not have written\n        policies or procedures in place to provide guidance to the agencies for oversight of\n        contractor systems. In addition, the agencies had not developed written agency policies and\n        procedures for contractor oversight and evaluation. Consequently, the Department cannot\n        be assured of the security over contractor systems.\n\n     b. 
The agency has developed complete inventory of major information systems\n        (including major national security systems) operated by or under the control of such\n        agency, including an identification of the interfaces between each such system and all\n        other systems or networks, including those not operated by or under the control of the\n        agency.\n\n        Response Categories:\n\n        \xe2\x80\xa2   The inventory is approximately 0-50 percent complete\n        \xe2\x80\xa2   The inventory is approximately 51-70 percent complete\nUSDA/OIG-A/50501-11-FM                                                                       Page 10\n\x0cExhibit A \xe2\x80\x93 OMB Reporting Requirements and USDA OIG Position\n                                                                                                          Exhibit A \xe2\x80\x93 Page 6 of 16\n\n\n              \xe2\x80\xa2   The inventory is approximately 71-80 percent complete\n              \xe2\x80\xa2   The inventory is approximately 81-95 percent complete\n              \xe2\x80\xa2   The inventory is approximately 96-100 percent complete\n\n              While OCIO made significant improvements in their oversight of the Departmental\n              inventory records, the process did not include tracking system interfaces or contractor\n              systems. In addition, guidance regarding contractor systems had not been developed and\n              provided to agencies. A review of 14 system security plans revealed that 6 systems\n              interfaced with other systems; however, none of those interfaces appeared within the\n              official Department inventory. System interfaces were not part of the OCIO semi-annual\n              inventory reconciliation process, and therefore were not included in the Department\xe2\x80\x99s\n              oversight. 
In addition, while the semi-annual inventory reconciliation did provide good\n              oversight of overall systems, it did not differentiate between agency owned and contractor\n              systems. As a result, at least one contractor system was not identified as belonging to a\n              contractor in the official Department inventory. Another system was questioned by OIG as\n              to whether it should be a contractor system, but because of the lack of a clear definition,\n              neither the agency nor OIG could make that determination. We considered the system\n              inventory to be accurate. However, we considered the interfaces to be only 25 percent\n              accurate. Therefore, we are assigning inventory with an overall 75 percent completion\n              percentage.\n\n              Our review of the Automated Security Self-Evaluation and Remediation Tracking\n              (ASSERT) tool disclosed 10 systems that did not apply the appropriate risk levels to their\n              systems in accordance with Federal guidelines 22 . For instance, one system had two high\n              risk security objectives, yet the system was categorized as moderate. According to Federal\n              guidelines, any security objective that is high defines the system categorization as high.\n              This occurred because Department did not always provide adequate oversight of system\n              categorization. Without a proper risk level assignment, the agencies cannot design their\n              security programs to ensure the appropriate security controls are in place to protect the\n              confidentiality, integrity, and availability of their systems.\n\n         c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or\n            No.\n\n              As noted in 3b above, OCIO had made significant improvements in its processes. 
OIG\n              concurs with the number of systems in the Departmental inventory.\n\n\n\n\n22\n  Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information\nSystems, dated December 2003.\nUSDA/OIG-A/50501-11-FM                                                                                                  Page 11\n\x0cExhibit A \xe2\x80\x93 OMB Reporting Requirements and USDA OIG Position\n                                                                              Exhibit A \xe2\x80\x93 Page 7 of 16\n\n     d. The OIG generally agrees with the CIO on the number of information systems used or\n        operated by a contractor of the agency or other organization on behalf of the agency.\n        Yes or No.\n\n        As noted in 3b above, we found a missing contractor system and confusion within the\n        Department as to an accurate definition of a contractor system. Therefore, we could not\n        determine that an accurate inventory of contractor systems existed within the Department.\n\n     e. The agency inventory is maintained and updated at least annually. Yes or No.\n\n        As noted in 3b above, OCIO had made significant improvements in its processes. The\n        Department had been doing a semi-annual review of inventory.\n\n        f. If the agency IG does not evaluate the agency\xe2\x80\x99s inventory as 96 percent-100\n        percent complete, please identify the known missing systems by Component/Bureau,\n        the Unique Project Identifier associated with the system as presented in your FY 2008\n        Exhibit 53 (if known), and indicate if the system is an agency or contractor system.\n\n        As noted above, OIG concurs with the total number of systems, but the tracking of\n        interfaces within the inventory system was inadequate. 
        The systems were accurately entered into the inventory system, but we had no assurance that a complete listing of interfaces had been documented.

4.   Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

     For each statement in items 4a through 4f, select the response category that best reflects the agency's status. (OIG's Response is underlined below.)

     a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        The Department had made improvements in this area. However, it is up to the agencies to accurately input, track, and close POA&Ms.
        During fiscal year 2007, OCIO began working with the Office of the Chief Financial Officer on a comprehensive process for POA&M closure. This effort concentrated mainly on financial systems within the Department. An essential driver for this process is that actions are undertaken to adequately close the POA&M. To achieve this goal, the Department initiated a Quality Assurance Working Group late in the fiscal year to provide independent verification and validation of documentation submitted to support agency requests to close IT security vulnerabilities. These new actions should improve the POA&M process.

        Although improvements have been made, it will take time for the processes to mitigate the issues OIG and the Department have found. OCIO issued a report on June 20, 2007, based on its review of the closure of POA&Ms by several agencies within the Department. Twenty-four POA&Ms were selected from a total of 461 closed from October 1, 2005, to September 30, 2006. OCIO found that the documentation lacked sufficient detail to show that the systemic cause of the POA&M weakness had been corrected.
        Further, agencies did not maintain support to show that an internal control was placed in operation to prevent recurrence of the weakness, or that the control was sufficiently tested for effectiveness before closing a POA&M.

        In addition, our reviews during fiscal year 2007 identified areas where POA&Ms were not being developed and entered into the tracking tool to report known IT security weaknesses. Details are shown below.

         •   POA&Ms were not added for weaknesses identified during security testing and evaluation performed on 9 of the 10 C&A packages we reviewed.

         •   None of the six agencies in our review had created POA&Ms for identified scanning vulnerabilities that were open more than 30 days, as required by Departmental guidance.

         •   Two agencies did not create POA&Ms as a result of weaknesses identified during OCIO security reviews.

        In addition, we reviewed 19 closed POA&Ms during this review and found that 5 were closed improperly and 3 had inadequate documentation that the weaknesses had been properly corrected and/or mitigated. Based upon our work during the fiscal year, we have no assurance that agencies were entering, tracking, and adequately closing POA&Ms.

     b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        See response to 4a above.

     c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        Although the agencies reported their progress on security weakness remediation on a monthly basis, as noted above in 4a, we can give no assurance that the reporting is accurate.

     d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        As noted above, OCIO centrally maintains, tracks, and reviews POA&Ms on a monthly basis. In addition, OCIO reviews (on a monthly basis) the status of corrective actions on POA&Ms, and any late completion dates are discussed with agency CIOs. However, based on our findings in 4a, we cannot assure that the reporting by the agencies to the Department is accurate. The Department has put significant effort into correcting these deficiencies.

     e. IG findings are incorporated into the POA&M process.

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        OCIO made significant improvement in determining whether POA&Ms for OIG findings were in the tracking system. Audit findings were tracked in the POA&Ms we reviewed.

     f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        As noted in 4a above, OCIO had made progress with regard to financial systems within the Department. However, the POA&M tracking system does not have the capability to prioritize IT weaknesses.

5.   Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.
     (OIG's Response is underlined below.)

     Agencies shall follow NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004, for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004, to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

     a. The IG rates the overall quality of the Agency's certification and accreditation process.

        Response Categories:

        -Excellent
        -Good
        -Satisfactory
        -Poor
        -Failing

     b. The IG quality rating included or considered the following aspects of the C&A process.

        (Check all that apply.)

        [X] Security plan
        [X] System impact level
        [X] System test and evaluation
        [X] Security control testing
        [X] Incident handling
        [X] Security awareness training
        [X] Configurations/patching
        [X] Other: Contingency/Disaster Recovery/Risk Assessments

        C&A process comments:

        The Department made improvements in the C&A process. We reviewed 10 C&As and found 1 that met NIST guidance.[23] In addition, we found an improved independent testing and evaluation process. Although improvements were made, we found that the process was still not adequate. Our review of the other nine C&As showed that agencies had not followed NIST guidance.
        Specifically, we found (1) nine security plans, seven risk assessments, and nine disaster recovery plans that did not follow NIST guidance and did not provide complete, accurate, and consistent information; (2) three C&As where the processes did not provide adequate assurances that controls were in place and operating effectively; (3) nine systems where controls chosen for continuous monitoring were not documented; and (4) eight systems that were accredited in spite of serious weaknesses. This was caused by a general lack of agency oversight and commitment to security. As a result, not all system controls may have been documented and tested, and systems may be at risk if controls were not implemented effectively.

[23] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004.

        Also, the Department had implemented a quality assurance program known as a concurrency review to assess agency C&A submissions prior to accreditation. But based on our review, OCIO concurrency reviews were not providing adequate oversight to ensure that agency system documentation met NIST guidance and that controls were properly safeguarding agency systems and data.
        We found concurrency reviews were not adequately reviewing agency C&A documentation, denying authority to operate for systems that did not have controls in place to protect the system, and/or performing followup to ensure weaknesses identified during the reviews were mitigated. OCIO stated that it did not have adequate resources to perform concurrency reviews on a large number of Departmental systems in a small amount of time. In addition, concurrency review procedures were in draft. As a result, USDA cannot be assured that all system controls have been documented and tested, or that systems are operating at an acceptable level of risk where controls were not implemented effectively.

6.   IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process

     a. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D II.4, including adherence to existing policy, guidance, and standards. (OIG's Response is underlined below.)

        Response Categories:

        -Excellent
        -Good
        -Satisfactory
        -Poor
        -Failing

        Comments:

        During fiscal year 2007, OCIO conducted a review of agency Privacy Act documentation. Its review noted that of 215 PIAs, only 98 followed the correct format and provided adequate responses. Of the remaining PIAs, 78 needed corrections and/or additions and 43 did not follow the correct format.
        In addition, of the 215 PIAs reviewed, 40 systems that indicated personally identifiable information (PII) was present did not have a reference to and/or a published Statement of Record Notice (SORN), as required.

        We also reviewed the Privacy Act implementation within the Department and came to a similar conclusion. The Department required a PIA for all systems. We found that in our review of 89 systems, 18 PIAs had not been completed and 8 more were still in draft. Of the 71 PIAs provided and reviewed, 36 did not meet Departmental standards by failing to include required questions.[24] In addition, the content of the PIAs was not always clear and/or information was contradictory regarding the usage of PII in those systems. If PII is in a system, a SORN was to be published in the Federal Register for any new or intended use of personal information. We found that 11 of 38 required SORNs had not been published. Finally, of 8 Privacy Act Officers interviewed, none were aware of key requirements such as formulating policy, handling privacy incidents, and/or analyzing business flows for privacy implications.

     b. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-06-15, Safeguarding Personally Identifiable Information, since the most recent self-review, including the agency's policies and processes, and the administrative, technical, and physical means used to control and protect PII.

        Response Categories:

        -Excellent
        -Good
        -Satisfactory
        -Poor
        -Failing

        Comments:

        The Department had taken some steps to implement the provisions of OMB Memorandum No. M-06-15, but had yet to fully achieve that goal. One positive step taken was the recent granting of a blanket purchase agreement to encrypt mobile devices, with a planned completion date of March 31, 2008. Until this is fully implemented, the Department is very susceptible to PII incidents, as noted by the 50 such incidents which occurred during the fiscal year. In addition, some legacy systems within the Department use the social security number as the key component. We also found that there were at least 181 unencrypted wireless access points within the Department, which could potentially broadcast PII in clear text.[25]

[24] Departmental Manual (DM) 3515-002, Privacy Impact Assessment, dated February 17, 2005.
[25] In computer networking, a wireless access point (AP) is a device that connects wireless communication devices together to form a wireless network. The AP usually connects to a wired network, and can relay data between wireless devices and wired devices. APs had Internet Protocol addresses for configuration.

7.   Configuration Management

     a. Is there an agency-wide security configuration policy? Yes or No.

        Comments:

        An adequate Departmental configuration policy, with checklists for each operating system, did not exist. To determine the level of security and configurations within the Department, we scanned six agencies' networks using commercially available software to look for known security vulnerabilities. In addition, we reviewed the level of security software patches that were applied at seven agencies. We found that (1) over 700 high-risk vulnerabilities[26] were present and unmitigated, or the acceptance of risk was not documented, and (2) over 240,000 patches were not applied to over 26,000 devices. We also reviewed the running configurations of network routers, switches, and firewalls at six agencies using commercially available software. Our review disclosed over 900 configuration errors within those agencies' devices. In addition, we noted that some of these agencies had stated in their July 2007 scorecard that they were 100 percent patched and scanned. Agencies were not reporting their accurate security posture in the scorecards, and OCIO was not validating the information when received.

     b. Approximate the extent to which applicable information systems apply common security configurations established by NIST.

        Response Categories:

        •   Rarely, for example, approximately 0-50 percent of the time
        •   Sometimes, for example, approximately 51-70 percent of the time
        •   Frequently, for example, approximately 71-80 percent of the time
        •   Mostly, for example, approximately 81-95 percent of the time
        •   Almost Always, for example, approximately 96-100 percent of the time

        NIST guidance states that "while the solutions to IT security are complex, one basic yet effective tool is the security configuration checklist."[27] The Department had issued guidance to achieve this NIST requirement.[28] It issued checklists for some operating systems, which it required agencies to use on a yearly basis. We reviewed six agencies to determine whether the Department's standard checklists for configuring systems were being used.
        We found that checklists were not being used to configure the systems in four of the six agencies, and those agencies could not provide documentation to support why the checklists were not used. In addition, checklists were not available to the agencies until August 2007 because they had been removed from the website and OCIO could not locate them. Fortunately, OIG was able to provide copies from our previous audit work. Also, as noted in the fiscal year 2006 FISMA audit report, not all checklists had been created. As a result, USDA systems were vulnerable to many threats, ranging from remotely launched network service exploits to malicious code spread through e-mails, malicious web sites, and file downloads.

[26] High-risk vulnerabilities are those which provide access to the computer, and possibly the network of computers.
[27] NIST SP 800-70, Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers, dated December 2006.
[28] DM 3540-002, Risk Assessment and Security Checklists, dated April 19, 2004.

8.   Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to United States Computer Emergency Readiness Team (US-CERT), and to law enforcement. If appropriate or necessary, include comments in the area provided below.

     a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.

     b. The agency follows documented policies and procedures for external reporting to US-CERT. Yes or No. (http://www.us-cert.gov)

     c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.

        Comments:

        OCIO made progress in tracking incident responses. During the fiscal year it implemented the Cyber Security Incident Response Management database to facilitate tracking and closeout of incidents. The database tracks the ticket number, open and close dates, categories of incidents, PII information, and whether the incident was forwarded to other Federal agencies. However, we found that policies and procedures for incident handling were not being followed and that incidents were not closed properly or timely, or were not reported to the necessary authorities. As a result, OCIO had limited assurance that improper actions were being appropriately and timely handled and that security problems were being adequately addressed. We reviewed the incident tracking database and found that 92 of the 399 incidents did not have documented closure within 30 days and that 75 incidents did not have US-CERT numbers (agency officials stated that these were mainly false positives). However, our review found that they should have been reported based on the US-CERT category in the database. In addition, we found over 100 incidents that had not been reported to OIG, as required by Departmental guidance, because OCIO did not have a standard distribution list.[29]
[29] DM 3505-001, Incident Response Procedures, dated March 20, 2006.

        The Internet Protocol Address Database (IPAD) is vital to the timeliness of incident response. IPAD is the Department's internet protocol (IP) address repository. This tool is used to determine the agency and location of the device when an incident occurs. It includes agency contact information and whether PII is present on that system. Although OCIO had made progress in the implementation of IPAD, more work is needed. We found that IPAD still did not have a complete and accurate listing of USDA IP addresses in the Department's tracking database for three out of the six agencies reviewed. This was due to a lack of management commitment to monitor IPAD to ensure that a complete and accurate inventory of IP addresses was maintained.

9.   Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

     Response Categories:

     •   Rarely, or approximately 0-50 percent of employees
     •   Sometimes, or approximately 51-70 percent of employees
     •   Frequently, or approximately 71-80 percent of employees
     •   Mostly, or approximately 81-95 percent of employees
     •   Almost Always, or approximately 96-100 percent of employees

10.  Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.

11.  The agency has completed system e-authentication risk assessments. Yes or No.

     We reviewed e-authentication risk assessments, required by OMB, at six agencies.[30] We found one agency that did not use e-authentication. Of the remaining agencies, only one could provide documentation to show it had conducted an assessment. The agencies were either unaware that a separate risk assessment was required or were not aware of a requirement to keep the documentation. Without performing and/or documenting a risk assessment for e-authentication, there is no assurance that business transactions have the required level of verification for authentication. Authentication risks with potentially higher consequences require higher levels of assurance.

[30] OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies, dated December 16, 2003.